Server 2003 Active Directory Infrastructure

To make the "Remove Network Connections from Start Menu" policy apply to all users in the domain except those in the Research group, Gary needs to link it to the domain and filter it by denying the Read and Apply Group Policy permissions to the Research group.

[A: If he were to link the policy to the Pharmaceutical OU, the VPN connection would be available to users in other OUs as well as to members of the Research group.]

[B: Disabling this policy in a GPO linked to the OU would have no effect and the Network Connections folder would still be available to everyone in the domain.]

[C: Enabling the policy at the domain level and then disabling it at the OU level would allow the connection to be available to all members of the Pharmaceutical OU, because the GPO applies by default to all members of the Authenticated Users group. He could remove the Read and Apply Group Policy permissions from members of this group, but this is a far more cumbersome means of solving this problem, and is more subject to error.]

You can simulate all these effects and several others when using RSoP in planning mode. RSoP evaluates all GPOs that will affect the user in her new position and informs you of the settings that will be applied. It includes changes in membership in all security groups, not just universal groups. It also includes effects such as a use of a slow network connection or loopback processing. However, it does not include the use of a smart card for logon as this does not affect how her computer will behave once she is logged on.

Because OU-based GPOs are applied after domain-based GPOs, it is likely that the administrator of the Financial OU has configured settings on the FinancialPolicy GPO that conflict with settings configured in the Default Domain Policy GPO. Amanda can ensure that the settings in the Default Domain Policy GPO are applied to all domain users by specifying the No Override option for this GPO. This ensures that no settings in this policy will be overwritten by any OU-based GPO.

[A & B: Block Policy Inheritance prevents policies linked to a higher level container from applying at a lower level. Its use would prevent the Default Domain Policy GPO from applying at all in the Financial or other OUs.]

[D: No Override specified at the OU level would prevent policies specified on the GPO on which it is specified from applying at a child OU if one existed; in this case it wouldn't do anything.]

[E & F: Loopback processing causes administrative template settings for computers based on the location of the computer object alone; user-based settings are not applied. It is intended for situations such as publicly accessible computers like building lobbies.]

The Delegation of Control Wizard provides John with the ability to delegate partial control of an OU to a user such as Norma. He can also grant her account specific permissions on the Active Directory objects (in this case, user accounts), assuming her user account is in the same OU.

[B: It is not possible to grant her this type of control by assigning permissions to the OU.]

[C: John could add Norma's account to the Account Operators group, but this would grant her control over all user accounts in the domain, which is too much authority]

New to Windows Server 2003, the forest trust enables you to create a trust relationship between all domains in two forests. On the Direction of Trust page of the New Trust Wizard, you can specify which direction the trust relationship must operate.

Any time you seize a FSMO role to another computer, any attempts to bring the computer from which the role was seized back online will result in more severe problems including possible corruption of Active Directory. This includes any attempt to restore its System State from backup. The only way to restore the seized computer to service is to reformat its hard drive, and reinstall Windows and Active Directory. Once you have done this, you can transfer the role back to this computer.

The Knowledge Consistency Checker (KCC) works from a domain controller known as the Inter-Site Topology Generator (ISTG) at each site and designates a bridgehead server at each site to take charge of intersite replication. In a few instances, it is possible that the KCC might designate a server that is underpowered and overloaded with other responsibilities (for example, global catalog server). If the bridgehead server cannot accommodate the replication traffic, replication problems can result. You can designate a preferred bridgehead server to overcome these problems.

[A: You cannot designate which computer acts as the ISTG.}

[C & D: This type of problem is not solved by adding site links or site link bridges, especially in this scenario where T1 lines have been used for all WAN links.]

[E: Adding global catalog servers will not help and may even aggravate the problem encountered here.]

The GUID, UPN, and LDAP Distinguished Name must be unique across the forest, or else an error will occur when the second account is created.

It is most likely that the computer does not have a partition formatted with NTFS. Because the computer was running Windows 98, all partitions would have been formatted with either FAT or FAT32. Because the shared SYSVOL folder must be created on a NTFS partition, dcpromo will create an error message and ask him to convert a partition to NTFS before proceeding with Active Directory installation.

[A: Although Microsoft recommends additional RAM to ensure the smooth operation of Active Directory, 128 MB is the minimum supported and this will not cause the observed failure.]

[B: It is not necessary to have a second hard disk, although use of a second disk will improve performance by enabling the separation of the database and SYSVOL folders.]

[D: Although DNS is required for Active Directory operation, dcpromo will search for a DNS server and will offer to install one for you if a suitable DNS server is not available.]

The infrastructure master should never be placed on the same server that is acting as the global catalog Server. If these two roles are held by the same computer, the infrastructure master will not function properly because it does not contain any references to objects that it does not hold. However, servers holding these two roles should be well connected to each other and located on the same site, so that they can communicate readily with each other. The schema master should generally be placed on the same server that is acting as the domain naming master and the RID master should generally be placed on the same server that acts as the PDC emulator. However, it is not strictly essential that these two combinations be followed, only best practice. The schema/domain naming master server should also be well connected to whatever server the administrators use to modify the schema or create new domains

By default, when you create new sites, all sites are linked together with a default link called DEFAULT-IP-SITE-LINK. This results in the 56k link in this scenario replicating at the same interval as the Denver to Boise link. Bertha needs to create a new site link and assign it a 24-hour replication interval.

[A: Site links are bridged by default, and a new site link bridge does not help.]

[C: Deleting the Boise site and merging it with the Denver site would increase its replication traffic without helping with this problem.]

[D: Using SMTP as a site link protocol would limit replication to the schema and configuration partitions of Active Directory only.]

[E: Increasing the site link cost does not reduce the amount of replication traffic.]

When a user attempts to log on from the branch office, the query goes to a DNS server that looks for a local domain controller. Only after this query has failed will the DNS server look to another office to locate a domain controller. This can slow down the logon process significantly. Jason should install a domain controller in the branch office to improve logon times.

[A: A global catalog server is needed only in the case of a multidomain network.]

[B: Although adding a DNS server will speed up the name resolution, it will not address the issue of querying for a DNS server across the WAN line.]

[D: Because the slow query is the issue here, a faster line such as a T3 will not improve the situation.]

One of the tasks handled by the PDC emulator is that of a time synchronization master, synchronizing the time on the various domain controllers. This error can occur if the PDC emulator is offline for any reason.

Global catalog servers contain a subset of information about all resources within the Active Directory forest. By default, only the first domain controller installed in a new forest is automatically a global catalog. In this instance, this would be in Houston, because this is the location of the forest root domain.

[A: A site link bridge consists of two or more links with one site in common. It provides a path for inter-site traffic to proceed at a cost of the sum of the costs of the individual links in the bridge. Its use would not help with the current scenario.]

[B: Enabling of universal group caching would ensure that users can log on, but would not facilitate the location of resources in other domains.]

[C: By default, only the first domain controller installed in a new forest is automatically a global catalog. In this instance, this would be in Houston, because this is the location of the forest root domain. There is no need for an additional global catalog server at this location.]

The domain controller rename feature is new to Windows Server 2003, and consequently the domain must be operating at the Windows Server 2003 functional level. In this scenario, there are two Windows 2000 domain controllers that must be upgraded to Windows Server 2003, and then you can upgrade the domain functional level to Windows Server 2003.

An application directory partition is a new feature of Windows Server 2003 that contains application-specific data that needs to be replicated to only specific domain controllers in the Active Directory forest.

[A: Active Directory-integrated DNS introduces benefits to the name resolution process such as fault tolerance of the DNS database (which is stored on an application directory partition) but in itself does not meet the requirements of this scenario.]

[B: You cannot store this type of data on a configuration directory partition.]

[D: Because you can use an application directory partition, there is no need for a server cluster.]

A site link bridge is a chain of site links that allow any two domain controllers to communicate directly with each other, whether or not they are directly connected with a site link. In the case that many of the sites are less well connected (as with the 56k dial-up lines), it is desirable to create another site link bridge. This enables Chris to configure a different replication schedule for the less well-connected locations.

To move a user account from one domain to another, Doug needs to use the Movetree command utility. This utility modifies the user account's security identifier (SID) to fit the new domain, but does not change its globally unique identifier (GUID).

[A: The ADMT tool is used to migrate accounts from a Windows NT 4.0 domain to an Active Directory domain, but not from one Active Directory domain or another.]

[C: The Copy command can be used only to create a copy of a user account with a new name but existing within the same container (domain, OU, etc.).]

[D: The Move command from the right-click menu in Active Directory Users and Computers can be used to move an account only within the domain in which it is located, and not between domains.]

The Windows Server 2003 Administrative Tools Package is designed to enable the administration of Active Directory from a member server running Windows Server 2003 or a client computer running Windows XP Professional. Once you have done so, it is possible to create a new OU using Active Directory Users and Computers (not Active Directory Domains and Trusts).

[B: The Windows Server 2003 Administrative Tools Package is designed to enable the administration of Active Directory from a member server running Windows Server 2003 or a client computer running Windows XP Professional. Once you have done so, it is possible to create a new OU using Active Directory Users and Computers (not Active Directory Domains and Trusts).]

[C & D: It is not possible to install Active Directory on a Windows XP Professional computer.]

The password complexity policy normally specifies that a password must contain at least three of the following four groups of characters: capital letters, lowercase letters, numerals, and special characters. Password policies and other account policies must be set at the domain level; if they are set at the OU level, the settings are ignored. This account policy becomes the default policy of any Windows 2000/XP/Windows Server 2003 computer that is a member of the domain, for purposes of domain logons.

[A: Although specifying No Override at the domain level would block the application of OU-based GPOs, this is not the reason the password was accepted in this case.]

[C: Group policies of any kind cannot be linked to security groups; they are linked only to sites, domain, or OUs.]

[D: Although group policies such as desktop configuration policies are not applied until a user has logged off and logged back on again, this is not the reason that the stronger password policy was not applied in this situation.]

Autoenrollment of users for smart card certificates is a multi-step process that starts with creating a copy of the enrollment agent template from the Certificate Templates snap-in.

[B: This template was originally created for Windows 2000 and does not support certificate autoenrollment. Hence, you cannot directly grant the Autoenroll permission on this template.]

[C & D: Although this would enable enrollment of users for smart card certificates, it would not enable autoenrollment.]

You can configure a series of security settings by using the Security Templates snap-in. It provides a series of predefined templates that you can copy and/or edit as required. One characteristic of the Hisecdc template is that it does not allow communication with pre-Windows 2000 computers except for Windows NT 4.0 computers with Service Pack 4 or higher. Because this scenario includes Windows 98 client computers, you should use the Securedc template instead. GPOs configured at any domain level do not propagate to child domains, only to the domain at which they are configured. Therefore, you need to configure a GPO for each domain or create another GPO and link it to all three domains.

There is the possibility that permissions set on the Users group are interfering with Joe's ability to reset passwords as assigned with the Delegation of Control Wizard.

[A & C: It is unlikely that permissions on Joe's account or on the Office5 OU are incorrect since he was able to perform other tasks.]

[D: There is no setting within Group Policy that would block Joe's ability to reset passwords.]

The Movetree utility, found in the Windows Server 2003 support tools package that can be installed from the Windows Server 2003 CD-ROM, is used to move an object from one domain to another, as required in this scenario. You must initiate this move on the RID master and not the infrastructure master or any other domain controller. The Dsmov utility can move an object from one location in Active Directory to another, but only within the same domain. Likewise, the right-click function can move the object only within the same domain.

Universal groups are available in forests containing domains operating at the Windows 2000 native functional level and above, and facilitate the granting of access in situations like this one. It is recommended to add global groups containing the users to the universal group, rather than adding individual users to the universal group, because this reduces the replication traffic that would be needed whenever the membership of the universal group changes.

The three main ways in which OUs can be designed are according to physical location, departmental structure, and role (such as placing all computer objects in one OU and all user objects in another OU).

The optimum manner of designing Active Directory in this scenario is for Paul to create separate OUs for each manufacturing division as well as separate OUs for the managerial and sales staff. He can then delegate administrative control to the appropriate support staff using the Delegation of Control Wizard.

For a domain user to successfully enroll for a smart card logon or smart card user certificate, you need to grant the user the Enroll permission to the certificate template that is stored in Active Directory. You can do this for the user specifically or for a group to which he belongs. You can specify the need for smart card use during logon from a user's Properties dialog box, but this is not needed to enable smart card enrollment. Although only domain administrators by default have permission to request certificates, this permission can be granted to other users; consequently Jason does not need to belong to the Domain Admins group. Only if a complete replication failure has occurred would the certificate template file not be available.

The Upgrade tab of a software's Properties dialog box enables Rachel to specify conditions of a software upgrade. She needs to specify the packages that this package will upgrade (in this case, Office 2000) and the packages in the current GPO that will upgrade this package (in this case, Office 2003). To make the upgrade required, she merely needs to select the "Required upgrade for existing packages" check box, which is the action she should perform at the 60-day limit.

RSoP used in logging mode, and the GPRESULT tool can be used to determine the effects of Group Policy on a user/computer combination in cases such as this where the user has logged on and discovered a problem that prevents her from working properly. You would use RSoP in planning mode to model the effects of Group Policy on a new user/computer combination or some type of change in the user's properties such as group membership.

[A: You would use RSoP in planning mode to model the effects of Group Policy on a new user/computer combination or some type of change in the user's properties such as group membership, but not to determine the effects of Group Policy on a user/computer combination in cases such as.]

[C: GPUPDATE is used to refresh group policy settings that are stored in Active Directory.]

[D: GPOTOOL allows you to monitor the health of GPOs on domain controllers running Windows 2000.]

By default, Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators all have the Allow log on locally user right.

Users are still able to login with non-conforming passwords because they have not yet been forced to change them. The password policy will not audit existing passwords, but applies during the password change process. If users do not change their passwords, then they are not affected by the changes in the policy.

In this scenario, users need to log on across the leased lines to the domain controllers in the San Diego head office, with consequent delays in authentication. By installing a domain controller at each store, users can log on without the need to utilize the leased line.

[B & C: Because there is only a single domain in this scenario, it is not necessary to have a global catalog server at each site, nor is there need for universal group caching.]

[D: Limiting replication of Active Directory to night will help, but is not the first step that Laura needs to take in order to improve user logon response.]

When you need to recover an object that has been deleted from Active Directory, you need to authoritatively restore that object. To do so, you need to start the domain controller in Directory Services Restore mode, restore the System State of the domain controller, and then use the ntdsutil utility to mark the restored objects as authoritative, thereby increasing their USNs so that more recent changes do not overwrite the restore.

[A: It is not necessary to recreate the OU.]

[C: It is impossible to restore just ntds.dit and SYSVOL from a backup; you must restore the entire System State.]

[F: If you were to force replication, this would result in your restored objects being deleted again.]

The New Trust Wizard provides two scopes of authentication: domain-wide, which authenticates users for all resources in the trusting domain (Screwdrivers Unlimited) and selective, which does not create any default authentication. Evan needs to specify selective authentication, and then the administrators in the Screwdrivers Unlimited domain need to configure the permissions on the resources that can be accessed.

[A & B: It is not possible to make a server in one forest a global catalog server in another forest. If he wanted Server3 to become a member server in the Helpful Hardware forest, Screwdrivers Unlimited would need to move the server or create a dedicated link to the Helpful Hardware network. But this would create problems for Screwdrivers Unlimited accessing their own server.]

[D: If he created an external trust relationship, it would not do anything towards limiting the level of authentication in the other forest; he would still have to specify selective authentication.]

Repadmin is a command-line tool that monitors and reports on failures across a replication link. The output of the Repadmin /showreps branchdc.corp.com command displays the replication partners and any replication link failures across this link. Dcdiag tests several aspects of domain controllers including their DNS registration and replication errors. It also identifies the intersite topology generator (ISTG) at each site. You can test for replication errors by issuing the Dcdiag /test:replications command. Replmon can determine the holders of the operations masters and global catalog server roles and monitor replication status.

[A: Netdom is a command-line tool for branch management of trusts, joining computers to domains, and verifying trusts. It does not monitor Active Directory replication.]

For a Windows NT 4.0 client to make a password change, the PDC emulator must be available. This computer acts as a Windows NT 4.0 PDC for downlevel (Windows NT or 9x) clients; because a backup domain controller (BDC) cannot perform this role for these clients, the users were unable to change their passwords. Consequently, Priscilla must seize the role of PDC emulator at one of the active domain controllers. She can do this by running Ntdsutil.exe from the command prompt at the domain controller that is to assume this role.

Active Directory uses the concept of sites to physically divide the network and control replication. In this situation, even though the office towers are adjacent, adding at least one additional site for the second office tower and configuring a limited frequency of replication between sites will free up bandwidth to facilitate logons.

[A & B: There is no need to create additional domains or OUs, as these would be unlikely to improve logon times in this scenario.]

[D: Promoting member servers to domain controllers would only increase the amount of network bandwidth used for replication.]

The simplest way to proceed in this scenario is to add the new site to the existing site link. This works well if all three sites are connected with a similar backbone, the replication schedules are the same between all sites, and the cost is the same for all links. By default, all site links are bridged in terms of cost values.

[B & C: There is no need to create additional site links or site link bridges, because all sites are connected with a similar type of connection and the same replication schedule can be used throughout.]

[D: Because all sites are connected with a similar type of connection and the same replication schedule can be used throughout, there is also no need to create an SMTP link.]

The Active Directory Schema snap-in does not appear in the Add Standalone Snap-in dialog box until Shelley has registered it by running the regsvr32 schmmgmt.dll command.

The RID master is responsible for assigning relative identifiers (RIDs) to each newly created Active Directory object. It assigns a series of RIDs to each domain controller as required. If it is not available, a domain controller can continue to create Active Directory objects until its available pool of RIDs has been exhausted.

A shortcut trust is a trust relationship between two child domains in the same forest, which optimizes the authentication and resource access processes when a large number of users need to access a different domain in another tree of the same forest. It shortens the trust path that Windows Server 2003 security takes for authentication and resource access control.

[A: An external trust provides an authentication path between two domains in different forests. In this case, you would need a shortcut trust.]

[C: Global catalog servers facilitate the location of resources in different domains of the same forest, but the actual access path still must flow through the tree root domains in the absence of a shortcut trust.]

[D: Site links connect sites and not domains.]

Events that relate to user management activities are recorded in the security log on the domain controller where the events took place. When a log contains a large number of entries, the manual location of an appropriate record may be difficult and time consuming. For this reason, Event Viewer provides the Find and Filter commands and their associated dialog boxes. Both of these commands permit searching of the logs by event type, event source, category, Event ID, user, and computer. In either one, Brent can specify searching for a success audit event in the Account Management category. The Find command provides the additional functionality of the Description text box, which does not appear in the Filter dialog box. This permits Brent to specify any information that he should expect to find in the logged event[md]in this case, he should find Connie's user name under the category Target Account Name. As a result, Brent can find the appropriate event more easily by using the Find command rather than the Filter command.

By default, replication between pairs of domain controllers occurs within 5 minutes of a change. Within the site, you need to consider the entire replication topology in knowing how long it will take replication to propagate to all domain controllers. By default, domain controllers within a site are connected with a bi-directional ring topology that includes enough connectors so that no two domain controller are more than three hops from each other. Thus the maximum time for the change to replicate to every domain controller within a site is 15 minutes.

Event Viewer provides the Directory Services log on domain controllers, which logs all important error, warning, and informational messages pertaining to the proper functioning of Active Directory. This includes connectivity and replication problems that could be causing slow logon responses. Frank can also use Replmon to monitor replication topology and status.

[B: Frank would use NBTSTAT only if he suspected a TCP/IP problem (which would most likely result in a complete inability to log on).]

[D: He might want to use Network Monitor to ascertain what is causing a high level of network traffic if other tools suggest an overloaded network link is causing the problems, but this is not one of the first tools he would use.]

[E: He would use GPRESULT only if there was a problem in applying Group Policy settings.]

Active Directory provides the LostAndFound container to resolve situations like this one. This container holds such orphaned objects so that an administrator can recover them and move them to an appropriate location. It is good practice for the head administrator to check this container from time to time.

[A, B & C: Although the deletion of a container results in the deletion of any objects contained therein, this deletion does not carry over to any objects placed in the container elsewhere after it has been deleted and replication has not yet taken place. This act does not cause the cancellation of the deletion, nor does it place the orphaned object in the domain root.]

When all domain controllers in a domain have been lost, you should perform a primary restore to rebuild the domain properly. This type of restore builds a new File Replication Service (FRS) database by loading the data present in the SYSVOL folder to the restored domain controller. To perform a primary restore, access the advanced options in the Restore Wizard and select the "When restoring replicated data sets, mark the restored data as the primary data for all replicas" option.

[A: You would perform an authoritative restore only when you have accidentally deleted one or more Active Directory objects and the deletion has been replicated to other domain controllers.]

[B: You would perform a non-authoritative restore when at least one other domain controller in the same domain is available and in working condition.]

[C: A normal restore is the same as a non-authoritative restore.]

The New Object-Site dialog box asks for the name of the new site and the site link object to be used by the site. If you have not created any site link objects, it supplies the DEFAULTIPSITELINK object. Once you have created the site, Active Directory provides a reminder dialog box that lists tasks you should complete in order to fully configure the new site.

You can create GPOs that are linked to any site, domain, or OU within your Active Directory structure. This includes child domains and child OUs.

[B & F: The Computers and Builtin containers are not OUs and you cannot create GPOs linked to these containers.]

The Advanced folder redirection option allows Kathy to specify locations for various user groups. It redirects folders to different locations dependent upon the users' security group memberships. She can specify UNC paths for the various security groups to enable redirection to the appropriate servers.

[A: The Basic option redirects everyone's My Documents folder to the same location. It would be possible to use this option in two GPOs and filter the effects of these GPOs, but this would take more administrative effort.]

[B: It is not possible to filter two policies in the same GPO to apply to different groups.]

[D: Because Kathy was asked to redirect folders belonging to users in the Engineering department, she should link the GPO to the Engineering OU and not to the domain.]

Restricted Groups is a new security option policy that allows you to determine who can be a member of a group, and what groups the group can be a member of. You can use this feature to define the membership of local groups such as the local Administrators group.

[A: An audit policy would tell you who has added themselves to the local Administrators group but would not stop such additions from occurring.]

[B: A software restriction policy would stop unapproved software from running and prevent many instances of viruses and corruption, but this was not what the question specified.]

[D: There is no user rights policy that would deny local administrators the right to install software.]

The .msp file is a software update file that can include bug fixes, and you can use this file to update an existing .msi file. It provides instructions about applying the updated files and Registry keys in the software patch, service pack, or software upgrade. When you redeploy it from the original distribution point, users will automatically receive the updated application.

[B: An .mst file is a modification package that is used to customize the installation of an application. It permits the application to be tailored to fit the needs of specific groups of users. It is not used to upgrade an application package.]

[C: It is not possible to publish the .msp file alone by using Software Installation and Maintenance; you must use the file to modify an existing Windows Installer package.]

[D: A .zap file is created to use Windows Installer for deploying legacy packages by using their setup.exe or install.exe file.]

Jennifer can either publish or assign applications by using a GPO. If she assigns the application to a user, it is advertised on the user's computer in the Start menu and is installed when the user double-clicks on the application or opens a file with an extension associated with the application. If she publishes it to a user, it is not advertised in the same way; it can be installed from the Add or Remove Programs applet or by opening a file containing an extension associated with the application. By default, the Authenticated Users group is given the Read and Apply Group Policy permissions when a GPO is created. This gives the users the permission to install an application that is either published or assigned to the users. As with any GPO, it is not possible to deploy it to a group. The .msi file should be placed on a shared network location.

The Gpupdate command is new to Windows XP and Windows Server 2003 and causes an immediate refresh of Group Policy settings in the local computer or Active Directory. It replaces the Secedit /refreshpolicy command that was used for this purpose in Windows 2000 Active Directory.

[A: Debbie could force the remote computers to shut down and restart from the Computer Management snap-in, but this inconveniences the users and takes a lot of administrative effort to do it repeatedly.]

[B: Gpresult generates a list of Group Policy settings that are actually applied to the client computer, but does not force the immediate application of policies.]

[C: The Secedit /refreshpolicy command that was used for this purpose in Windows 2000 Active Directory, but is not used in Windows 2003 Server.]

To set an account lockout policy, Mike must edit a GPO that is linked to the domain, and not to an individual OU. This is because account policies must be set at the domain level; otherwise they are ignored. Within the GPO, he proceeds to the Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy node, and configures the Account lockout threshold policy for four unsuccessful logon attempts. Once configured, these settings will apply to all users in the domain, not just the Support OU.

GPOs are applied in the following sequence: Local, Site, Domain, OU. If two policies have conflicting settings, then by default, the policy that is applies last will override any earlier policies. Any other policies that have been applied at a higher level (e.g., domain) and are set to Not Configured at the lower level (e.g., OU) will also apply. If you want to have the domain-based policies not to apply to the OU, you should configure Block Policy Inheritance at the OU level. This setting affects all Group Policy settings that have been applied at a higher level regardless of which GPO they are specified in.

[A: Configuring Block Policy Inheritance at the domain level would only block policies applied at the local or site level, which is not what is required here.]

[C: Configuring No Override on the DesPolicy GPO would prevent policies applied at a later level (child OU, if one exists) from overwriting policies on the DesPolicy GPO.]

[D: Configuring No Override on a GPO at the domain level would prevent the DesPolicy GPO from overwriting policies at the domain level, which is the opposite effect to what is required here.]

Logon and logoff scripts are assigned to the users that require them and are executed when the user logs on or off, respectively. Alex can assign them by placing them in the User Configuration\Windows Settings\Scripts node in the appropriate GPO, which in this case is the GPO linked to the EngngWork OU.

[A: If he were to link the scripts to the Engng OU rather than the EngngWork OU, the Engineering users would be able to access them from any computer in the network and not just the computers in their own division, which is not what this scenario calls for.]

[B: If he were to assign the script as a startup script, it would be available to everyone who uses a computer located in the department, and not just the Engineering employees, because it executes before the logon screen appears.]

[D: Logon and logoff scripts are assigned to the users that require them and are executed when the user logs on or off, respectively. Alex can assign them by placing them in the User Configuration\Windows Settings\Scripts node in the appropriate GPO, which in this case is the GPO linked to the EngngWork OU.]

These settings, which are found in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node of Group Policy, enable digital signing of all communications between clients, servers, and domain controllers on the network, provided that the computers involved meet minimum requirements. The requirements include a minimum of Windows NT 4.0 with Service Pack 4; consequently, the BDC specified in this scenario will communicate using digital signing.

Group Policy enables you to categorize published software applications so that users find it easier to locate those that they need. The Software Installation Properties dialog box has a Categories tab where you can create categories and assign applications to the categories you have created. A Category drop-down list will appear in users' Add or Remove Programs applet listing the categories you have designated. You should do this for published rather than assigned applications, as the latter appear in users' Start menus rather than Control Panel Add or Remove Programs. Because Group Policy provides this feature, there is no need to send emails or create separate GPOs for software deployment.

Charles can configure an audit policy by accessing the Group Policy Object Editor snap-in for the appropriate GPO and navigating to the Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy node. This node contains a series of events that can be audited for either success or failure. In this case, he needs Account Management events, which include items such as the creation, change, or deletion of a user or group account, and also the renaming, disabling, or enabling of a user account or change of password.